LastPass mitigates credentials-stealing phishing attack

Popular credentials manager LastPass has taken steps to counter a "very simple" phishing attack that could see users' passwords, email addresses and two-factor authentication tokens stolen.

Researcher Sean Cassidy posted proof of a successful phishing attack using a faked LastPass notification in a web browser earlier this month, following a presentation at the hacker conference ShmooCon.

By setting up a malicious website that displays notifications telling users their LastPass sessions have expired, Cassidy was able to create a page that lured people into entering their credentials for the password manager.

The researcher called the attack LostPass. A successful capture of user LastPass credentials would allow attackers full access to all login details stored in the password manager.

According to Cassidy, the attack works best on the popular Google Chrome web browser.

LastPass has since made changes to its browser notification and alert systems, and now requires email confirmation for all logins from new IP addresses, which Cassidy says substantially mitigates his attack.
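To show why the new-IP email confirmation blunts a credential-phishing attack like the one described here, the following is an added example (not LastPass's code, and the account, IP addresses and mailer are constructed stand-ins): a login from an unseen IP is held, even with the correct password and 2FA result, until a token that only reaches the account owner's mailbox is presented.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    pw_hash: str                                # sha256 stands in for bcrypt/argon2
    trusted_ips: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # confirmation token -> IP on hold


def _hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


class LoginService:
    """Issues a session only when password, 2FA and IP trust all check out."""

    def __init__(self):
        self.accounts = {}
        self.outbox = []  # constructed "mailer": list of (user, token) emails sent

    def register(self, user: str, password: str, first_ip: str):
        self.accounts[user] = Account(_hash(password), {first_ip})

    def login(self, user: str, password: str, totp_ok: bool, ip: str) -> dict:
        acct = self.accounts.get(user)
        if acct is None or not totp_ok or not hmac.compare_digest(acct.pw_hash, _hash(password)):
            return {"status": "denied"}
        if ip in acct.trusted_ips:
            return {"status": "session", "token": secrets.token_hex(16)}
        # Valid credentials from an IP this account has never used: a phisher who
        # captured them via a fake notification lands here. Hold the login and
        # email a one-time token; nothing is issued until it comes back.
        token = secrets.token_urlsafe(16)
        acct.pending[token] = ip
        self.outbox.append((user, token))
        return {"status": "confirmation_required"}

    def confirm(self, user: str, token: str) -> dict:
        acct = self.accounts.get(user)
        ip = acct.pending.pop(token, None) if acct else None
        if ip is None:
            return {"status": "denied"}        # unknown or already-used token
        acct.trusted_ips.add(ip)               # owner vouched for this IP
        return {"status": "session", "token": secrets.token_hex(16)}
```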

The company is also looking into delivering notifications somewhere other than the web browser viewport below the tab and address bar, which is where Cassidy placed his fake session-expiry warnings.

LastPass has also asked Google to help make the viewport area more secure to use, or to provide an alternative for notifications.

Cassidy noted that in general terms, web browser extensions are riskier than native applications that run on the operating system.

Also, having a publicly accessible application programming interface makes it easier to steal a great deal of data, he said.

Cassidy cautioned that users should only store frequently used and low-risk data in LastPass and other password managers.

Too many people still use terrible passwords

Daniel Cooper
01.19.16

The fifth annual SplashData chart of the Internet's worst passwords is out, and it looks like people just can't learn the lesson. The firm has aggregated around two million passwords that were leaked in 2015, finding that basic, easy-to-guess terms are still in abundance. The most popular code behind which people store their valuables is "123456," with "password" sitting comfortably in second place.

One thing that you can glean from the information is that people who use such easily guessable passwords are also led by pop culture and sports. For instance, some of the newer entries on the list include "solo," "princess" and "starwars," while "football" and "baseball" are also in the top 25. As smart as you may think you're being by using the phrase "passw0rd," it's an idea that's been used by thousands, if not hundreds of thousands, of other computer users. We've included the full rundown below, and if you spot one on this list that you use, consider this a wake-up call.